Microsoft to simplify the issue of security patches

Microsoft plans to simplify the way it issues security patches over the next 12 months as one of the key steps in its $100m (£63m) drive to improve the security of its software and Windows operating system.

The supplier, in an acknowledgement that security patches are a source of frustration for IT departments, said it is working on plans to create a single, automatic patch-update system for all Microsoft products.

The move follows complaints from IT departments that staff have to use three different update mechanisms to keep desktop PCs patched with the latest Microsoft security releases - a problem that is multiplied when organisations use software from a range of suppliers.

The issue came to the fore in January, when the Slammer virus infected an estimated 75,000 unpatched machines within 10 minutes.

"Each of our product groups is working to put all of the patch processes into a single mechanism. There are a lot of engineering problems to resolve, but our hope is that over the next year we will get down to two installment technologies," said Stuart Okin, chief security officer at Microsoft.

Microsoft is also creating common standards for patches across its development groups to ensure that they install into systems in a similar, predictable way. These standards will also enable IT departments to test the patches before deciding whether to install them into their desktop infrastructure.

In parallel, Microsoft said it is working with application developers to improve the stability of applications when IT departments apply new patches. Developers will be able to use the security library in Microsoft's .net framework to make applications safer.

The next version of Windows, due to be released this year, will be the first in which features are locked down by default to improve security, Okin said. IT managers will have to turn on the functions they need to use, rather than spending time trying to lock down the system to make it secure.

"Many of our customers were exposed to Code Red and Nimda because Internet Information Server was loaded and installed by default in the background," said Okin. "But because people did not need it, they did not manage it, and they were not downloading the patches."

Microsoft plans to "institutionalise" its security training drive over the next 12 months and will focus on improving its security-related documentation, including improved security guides for its programmers, said Okin.